
Summary
Technical summary: This detection rule inspects inbound messages for PDF attachments and fires when at least one PDF attachment satisfies both of the following conditions: (1) the PDF's Exif-derived page count is 2 pages or fewer; and (2) the PDF contains embedded URLs whose root domain is workers.dev. When such an attachment is found, the rule emits a medium-severity detection with an attack type of Credential Phishing. The associated tactics and techniques are PDF usage, abuse of a free subdomain host (workers.dev) and evasion. Detection methods used are file analysis (to access the attachment), Exif analysis (to read the page count) and URL analysis (to scan the URLs inside the document). The pattern is intended to identify abuse of Cloudflare Workers infrastructure to host malicious content that is delivered through PDFs attached to inbound messages. Note: the description states “fewer than 5 pages,” but the implementation enforces page_count <= 2; this discrepancy should be clarified or corrected in the rule.
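As an added illustration, not the rule's own code, the following Python sketch implements the predicate described above and runs it over constructed attachment records; the Attachment record, SAMPLES and the root_domain helper are assumptions, and root_domain uses a last-two-labels simplification in place of a public-suffix lookup.

```python
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Assumed stand-in for the attachment metadata the rule reads:
# file type, Exif-derived page count and URLs extracted from the document.
@dataclass
class Attachment:
    file_type: str
    page_count: Optional[int]            # None if Exif analysis yields no page count
    urls: List[str] = field(default_factory=list)

MAX_PAGES = 2                            # the value the implementation enforces
SUSPICIOUS_ROOT = "workers.dev"

def root_domain(url: str) -> str:
    """Root domain of a URL's host, simplified to the last two labels
    (no public-suffix list): 'a.b.workers.dev' -> 'workers.dev'."""
    host = (urlparse(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def attachment_matches(att: Attachment) -> bool:
    """Both rule conditions: small PDF *and* at least one workers.dev URL."""
    if att.file_type.lower() != "pdf":
        return False
    if att.page_count is None or att.page_count > MAX_PAGES:
        return False
    return any(root_domain(u) == SUSPICIOUS_ROOT for u in att.urls)

def evaluate(attachments: List[Attachment]) -> Optional[dict]:
    """Mirror the rule outcome: a medium-severity Credential Phishing detection
    when at least one attachment matches, otherwise no detection."""
    hits = [a for a in attachments if attachment_matches(a)]
    if not hits:
        return None
    return {"severity": "medium", "attack_type": "Credential Phishing",
            "tactics": ["PDF", "Free subdomain host", "Evasion"],
            "matched": len(hits)}

# Constructed sample attachments (not real telemetry); only the first matches.
SAMPLES = [
    Attachment("pdf", 1, ["https://sample-app.workers.dev/doc"]),       # match
    Attachment("pdf", 7, ["https://sample-app.workers.dev/doc"]),       # too many pages
    Attachment("pdf", 2, ["https://workers.dev.example.com/"]),         # root is example.com
    Attachment("pdf", 2, ["https://example.com/workers.dev"]),          # in path, not host
    Attachment("docx", 1, ["https://sample-app.workers.dev/"]),         # not a PDF
]

if __name__ == "__main__":
    print(evaluate(SAMPLES))
```

The third and fourth samples show why the check is on the root domain of the host rather than a substring match over the URL.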
Categories
- Network
- Endpoint
Data Sources
- File
Created: 2026-06-05